Archive for August, 2011


France Introduces Data Security Breach Notification Requirement for Electronic Communication Service Providers

August 30, 2011

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  In particular, the Ordinance introduces new provisions under the French Data Protection Act, which impose an obligation on electronic communication service providers to provide notice in the event of a data security breach.

These new provisions apply only to companies that process personal data as part of electronic communication services they provide through a public network (e.g., ISPs or telecom operators).  A data security breach is defined as any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorized access to personal data that is being processed in the context of electronic communication services that are provided to the public.

If such a security breach occurs, the electronic communication service provider must inform without delay the French Data Protection Authority (the “CNIL”).  If the breach is likely to impact subscribers’ (or any other individual’s) right to the protection of personal data or right to privacy, the service provider also must inform the potentially affected individuals without delay.  The service provider is not required to inform affected individuals if the CNIL determines that appropriate protective measures have been implemented to render the data in question inaccessible or indecipherable by unauthorized individuals.  However, in the absence of such protective measures, and after investigating the seriousness of the breach, the CNIL may send a legal notice to the service provider requesting that it inform the affected individuals.

Companies in the telecom industry also are required to maintain (and make available to the CNIL at all times) an inventory of all data security breaches they have experienced, including a description of each breach, its impact, and the measures the company implemented to remediate the situation.  Non-compliance with these provisions is punishable by up to five years of imprisonment and a €300,000 fine.

Source France Introduces Data Security Breach Notification Requirement for Electronic Communication Service Providers


Security the main obstacle for cloud adoption in India, says report

August 29, 2011

Almost 55 per cent of the IT decision makers in India have reported a security issue with their cloud provider within the last 12 months, according to a survey by Trend Micro, the global cloud security provider.

In India, 60 per cent of respondents pointed to apprehension over security as the main cause holding back their adoption of cloud computing. The survey also noted that Indian enterprises expressed a higher level of concern about cloud computing services than enterprises from other places.

Source Security the main obstacle for cloud adoption in India, says report 


Google Sued in Massachusetts for Scanning Emails Sent To Gmail Account

August 24, 2011

A Massachusetts woman filed a class action suit in Mass. state court against Google on July 29, alleging that Google violated Massachusetts’ wiretap law by scanning messages she sent from her AOL account to recipients’ Gmail accounts. Massachusetts is one of several states that require all parties to give their consent to the interception or recording of communications (unlike federal law and the laws in a majority of states, which only require consent from one party to the communication). MGL Ch. 272 § 99(B)(4); § 99(C)(1).

Google uses automated technology to scan emails sent through the Gmail system to serve relevant advertisements to Gmail users. Users signing up for a Gmail account must consent to such scanning in order to register. In the complaint, the plaintiff stated that as a non-Gmail user, she never gave Google her consent to scan emails she sent to recipients with Gmail addresses, and that her “personal or property interests or privacy” were violated by Google’s automated email scanning.


Source Google Sued in Massachusetts for Scanning Emails Sent To Gmail Account


Public cloud providers must take data loss liability

August 20, 2011

Paul Maritz, CEO of VMware, the leader in virtualization technology, which is the foundation of cloud computing, says public cloud providers need to take responsibility for any loss of client data if enterprises are to embrace public clouds. Extracts from an exclusive interview with TOI:

What are the challenges you see in public cloud adoption?

We have to ensure customers get the quality of service they expect in public clouds, ensure that the user interface of how they do IT externally is the same as how they do IT internally. You also often hear the issue of liability in clouds. What happens if I put my application in your cloud and something bad happens? Who is going to pay for that? The first generation cloud providers are very clear in their answer: we take no liability. That’s an unacceptable answer, and that’s one of the reasons why businesses have only just experimented with the cloud, and have not put any serious applications into the cloud.

Source ‘Public cloud providers must take data loss liability’


Google improving privacy policies, says information commissioner

August 18, 2011

Google has “taken reasonable steps” to improve its privacy policies since its Street View mapping cars unlawfully captured data last year, the information commissioner said on Tuesday.

The internet giant vowed to improve how it handles users’ data in November, after the Information Commissioner’s Office ruled it committed a “significant breach” of the data protection act when its mapping cars toured UK towns and cities.

Source Google improving privacy policies, says information commissioner


Man reveals secret recipe behind undeletable cookies

August 17, 2011

A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser’s privacy mode.

The technique, which worked with sites including Hulu, Spotify and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went through considerable trouble to prevent tracking of the websites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user’s browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month.

Source Man reveals secret recipe behind undeletable cookies



S. Korea plans to scrap online real-name system

August 16, 2011

The South Korean government will push ahead with plans to scrap the current real-name system for Internet users in the wake of the country’s worst online security breach, local media reported Thursday. The Ministry of Public Administration and Security is set to report to ruling party lawmakers about comprehensive measures to protect personal information online, including abolishing the real-name registration system, Yonhap news agency said.

The real-name system, introduced in 2007, requires people to use their real names and resident registration numbers when making online postings on websites with more than 100,000 visitors per day.

Source S. Korea plans to scrap online real-name system